If you’re tired of setting up SPAN sessions to capture network traffic transiting your Cisco router, it’s time to start using Cisco’s Embedded Packet Capture (EPC), available from IOS 12.4(20)T onwards. We will show you how to configure Cisco’s Embedded Packet Capture to capture packets transiting a Cisco router, save them to its flash or export them directly to an FTP/TFTP server for further analysis with a packet analyzer such as Wireshark.

Finally, we've also included a number of useful Embedded Packet Capture troubleshooting commands to monitor the status of the capture points and memory buffer.

Let’s take a look at some of the basic features offered by Embedded Packet Capture:

Before we dive into the configuration of Cisco EPC, let’s explain the two terms used during the EPC configuration: Capture Buffer & Capture Point. We’ll use figure 1 to help illustrate the terms.

Capture Buffer

Capture buffer is an area in memory for holding packet data. There are two types of Capture Buffers: Linear and Circular.

Linear Capture Buffer: When the capture buffer is full, capturing stops.

Circular Capture Buffer: When the capture buffer is full, capturing continues by overwriting the oldest data.

Capture Point

A capture point is the traffic transit point where a packet is captured. A capture point needs to define the following:

IPv4 or IPv6

CEF (Cisco Express Forwarding) or process-switched traffic

Interface, e.g. FastEthernet0, Dialer0 etc.

Direction of traffic on the interface: in (ingress), out (egress) or both

Configuring Cisco Embedded Packet Capture

EPC configuration is an easy five-step process. Examining the diagram below, our goal is to capture ingress and egress packets on interface FastEthernet0 between workstation 192.168.3.2 and Firewall.cx:

Figure 2. Capturing packets between host 192.168.3.2 and Firewall.cx

Note: None of the configuration commands below, except the optional access lists (filters), are stored in the router's running-configuration or startup-configuration. The monitor capture commands are exec-mode commands held only in the router's RAM and are lost after a reboot.

STEP 1 - Define a Capture Buffer

The capture buffer will store the captured packets. Our capture buffer will be named firewallcx_cap, will have a size of 1024 KB (1 MB), which is the default, and will be a linear buffer. Note that size sets the total buffer size in KB; the number of bytes kept from each packet is set separately with the max-size keyword and defaults to 68 bytes, so only headers are retained unless you raise it.

R1# monitor capture buffer firewallcx_cap size 1024 linear

STEP 2 – Define the traffic to be captured (optional)

We can optionally restrict the capture to specific traffic. In our case, we need to capture traffic between hosts 192.168.3.2 and 208.86.155.203 (Firewall.cx). This is accomplished with access control lists; standard or extended access lists can be used depending on the granularity required. If no access list is configured, all traffic passing the capture point is captured.

Note: Our access list includes traffic originating from both hosts because we want to capture bidirectional traffic. If we included only one ACL statement, then only one-way traffic would be captured.

Our filter is now in place and we are ready for the next step.

STEP 3 – Define Capture Point and Parameters

Here we define which interface will be the capture point. In our case this is FastEthernet0, and we’ll capture both ingress and egress packets. During this step we also need to provide a name for the capture point; we selected CPpoint-FE0 to make it easy to distinguish.

Note: It is highly advisable to ensure ip cef is enabled, as CEF-switched capture has minimal impact on the router’s CPU. If ip cef is not enabled, a message like the one below will appear, in which case you need to enable ip cef and re-enter the command.

Export the capture buffer using the monitor capture buffer export command. Keep in mind that we must stop the capture before exporting the data, and also have our TFTP server ready to accept the captured data. Since TFTP is unauthenticated and unencrypted, the exported capture, which may contain plaintext credentials and other sensitive payload, crosses the network in the clear; export over a trusted management network only, or use an authenticated transport such as FTP where available.
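The complete sequence from buffer definition to export, as an added example that is not part of the original article (the article shows only the step 1 command). It assumes the extended ACL number 100, the capture point name CPpoint-FE0 from the text, a 1500-byte per-packet snap length, and that the workstation 192.168.3.2 also runs the TFTP server that receives capture.pcap:

```cisco
! Step 1 - capture buffer: 1024 KB, linear. max-size is the per-packet
! snap length; the default 68 bytes keeps headers only, so raise it to
! 1500 (an assumed value) if full payloads are needed for analysis.
R1# monitor capture buffer firewallcx_cap size 1024 linear
R1# monitor capture buffer firewallcx_cap max-size 1500

! Step 2 - optional filter. ACL 100 is an assumed number; both directions
! are listed so that replies from Firewall.cx are captured too.
R1# configure terminal
R1(config)# access-list 100 permit ip host 192.168.3.2 host 208.86.155.203
R1(config)# access-list 100 permit ip host 208.86.155.203 host 192.168.3.2
R1(config)# end
R1# monitor capture buffer firewallcx_cap filter access-list 100

! Step 3 - capture point: IPv4, CEF-switched, FastEthernet0, both directions
R1# monitor capture point ip cef CPpoint-FE0 FastEthernet0 both

! Step 4 - associate the capture point with the buffer
R1# monitor capture point associate CPpoint-FE0 firewallcx_cap

! Step 5 - start the capture, verify it is running, then stop it
R1# monitor capture point start CPpoint-FE0
R1# show monitor capture point all
R1# show monitor capture buffer firewallcx_cap parameters
R1# monitor capture point stop CPpoint-FE0

! Inspect the buffer on the router, then export (only after stopping)
R1# show monitor capture buffer firewallcx_cap dump
R1# monitor capture buffer firewallcx_cap export tftp://192.168.3.2/capture.pcap

! Clean up: the buffer holds raw packet contents in RAM until cleared
R1# monitor capture buffer firewallcx_cap clear
R1# no monitor capture point ip cef CPpoint-FE0 FastEthernet0 both
R1# no monitor capture buffer firewallcx_cap
```

The show commands at step 5 confirm the capture point is associated with the buffer and is active, and the parameters output shows how much of the 1024 KB buffer is used; with a linear buffer, capture silently stops once it is full, so check this before assuming a quiet interface.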

At this point, the capture.pcap file should be located on our workstation.

We are now ready to import the data into our network analyzer for further analysis:

Figure 3. Importing packets into a Network Analyzer

Once the import process is complete, our captured packets are displayed and we can analyse them in a more user-friendly environment:

Figure 4. Packets displayed inside the network analyzer

This article introduced the Cisco Embedded Packet Capture feature available on Cisco IOS routers running version 12.4(20)T and above. We explained the terms used by the Embedded Packet Capture feature (Capture Buffer, Capture Point), showed how to configure Embedded Packet Capture in five simple steps, and showed how to export captured data from the Cisco router so that it can be imported into a network analyzer.